
HawkEye Malware: Technical Analysis – ANY.RUN’s Cybersecurity Blog


Editor’s note: This article was written by threat researcher Aaron Jornet Sales, also known as RexorVc0. You can find him on X and LinkedIn.

HawkEye, also known as PredatorPain (Predator Pain), is a malware family categorized as a keylogger, but over the years it has adopted new functionalities that align it with the capabilities of other tools such as stealers.

History of HawkEye

HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it fairly long-lived. After several spearphishing campaigns in which this well-known malware was involved, it gained significant notoriety starting in 2013.

This keylogger has been sold on various dark web sites, even having dedicated websites where the tool was sold. However, it has been cracked for years and used by different actors without going through the subscription process imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies because of its ease of use.

Although it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence during the COVID period. During this time, certain actors took advantage of the general hysteria to obtain company data through phishing campaigns.

Furthermore, HawkEye has been used together with other loaders and/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, some of which include Galleon Gold, Mikroceen, the iSPY crypter associated with Gold Skyline, Remcos used in campaigns with HawkEye, Pony used in campaigns with HawkEye, and so on.

Technical Analysis

HawkEye’s delivery method has varied throughout its history, as have the types of sources behind the attacks. However, it has mainly been involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file, which could be a document, a compressed file, or another malware acting as a loader for the keylogger.

It has also been used to target websites of portals frequently accessed by companies, which have been the main targets of the attacking groups. Another common way of spreading HawkEye was through “free” software, which turned out to be malware in disguise.

HawkEye’s delivery methods are quite varied compared with other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:

HawkEye graph

During the analysis process, I usually spend weeks, even months, gathering samples to understand how they function as a whole based on the current variants. Therefore, we may observe variations among the samples presented here. In most executions, we encounter large process trees resulting from their actions.

To simplify, as you have seen in the previous graph, it is not as complex compared with other stealers or RATs. It usually consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related program. Later, in memory, it gathers all possible data and sends it to a C&C.

ProcDOT detonation graph

Getting straight to the point, in an initial execution of one of the samples I analyzed, we see a fairly extensive process: a succession of copies of the executable launched from temporary paths.

Process Tree execution (Image 1)
Process Tree execution (Image 2)

In this case, they used the Roaming\Templates path, but this is highly variable depending on who created the sample. Generally speaking, they tend to abuse paths like AppData\Roaming and AppData\Temp, which are the usual choices.

Paths commonly abused (Image 1)
Paths commonly abused (Image 2)
Paths commonly abused (Image 3)

Here is the list of paths observed for dropping files:

  • C:\Users\*\AppData\Local\Temp
  • C:\Users\*\AppData\Roaming
  • C:\Users\*\AppData\Roaming\Microsoft\Windows\Templates
  • C:\Users\*\AppData\Local\Temp\System
  • C:\Users\*\Music

All of these files that are launched, and which we saw executing in the previous step, are copies of the original. The filenames are also highly variable, as you might expect, but they usually carry an icon that makes the victim think it is a legitimate program, or the file description is altered to make it look like legitimate software.



Finally, after comparing the dropped files, we can see they are simple copies of the original, with the particularity that some versions drop them with the hidden attribute set, so you cannot see them until you have enabled the “View hidden files” option in Windows.

Hidden files duplication graph
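As an added example (not from the original post), here is a small hunt for these self-copies: it hashes the .exe files sitting directly in the drop directories listed above and reports any hash seen in more than one of them, noting the Hidden attribute where Windows reports it. The drop directories come from the post; the file names, the profile layout and the constructed fixture are assumptions of this example.

```python
# Added example, not from the original post: a small hunt for the
# byte-identical self-copies described above. It hashes every .exe sitting
# directly in the drop directories listed in the post and reports hashes that
# appear in more than one of them, flagging the Hidden attribute where Windows
# reports it. build_demo_profile() writes a constructed profile so the hunt
# can run offline; nothing in it comes from a real sample.
import hashlib
import os
import stat
import tempfile

# Drop directories from the post, relative to the user profile.
DROP_DIRS = [
    r"AppData\Local\Temp",
    r"AppData\Roaming",
    r"AppData\Roaming\Microsoft\Windows\Templates",
    r"AppData\Local\Temp\System",
    r"Music",
]

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def is_hidden(path):
    """True when Windows reports FILE_ATTRIBUTE_HIDDEN; False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))

def find_self_copies(profile_dir):
    """Return {sha256: [(path, hidden)]} for hashes seen in 2+ drop paths."""
    by_hash = {}
    for rel in DROP_DIRS:
        d = os.path.join(profile_dir, *rel.split("\\"))
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if name.lower().endswith(".exe") and os.path.isfile(p):
                by_hash.setdefault(sha256_of(p), []).append((p, is_hidden(p)))
    return {h: hits for h, hits in by_hash.items() if len(hits) > 1}

def build_demo_profile():
    """Constructed fixture: one binary copied under two names into two drop
    directories, plus an unrelated .exe that must not be reported."""
    root = tempfile.mkdtemp(prefix="hawkeye_demo_")
    loader = b"MZ" + b"\x90" * 64 + b"constructed loader body"
    for rel, name in [(DROP_DIRS[0], "invoice.exe"),
                      (DROP_DIRS[2], "svchost.exe")]:
        d = os.path.join(root, *rel.split("\\"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as f:
            f.write(loader)
    music = os.path.join(root, "Music")
    os.makedirs(music, exist_ok=True)
    with open(os.path.join(music, "player.exe"), "wb") as f:
        f.write(b"MZ" + b"unrelated program")
    return root
```

Point find_self_copies() at a real profile directory (for example C:\Users\<name>) to run the hunt on a host; on non-Windows systems the hidden flag is always reported as False.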

During these file drops, we can encounter both replicas of the original file in several paths and helper files whose purpose is usually to establish persistence (or check whether it is already in place, and if not, establish it) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is responsible for these actions.

Injector written in temporary folder

I check whether there is any shared data between the two binaries and see that certain parts of the code match the original. This will become relevant later; right now we are looking at them separately, but everything will make sense afterwards.

Comparison of the injector and the HawkEye bin

After this step, we can see how persistence is established. PredatorPain is not a malware that establishes persistence only once; it has been observed to check for and establish persistence up to three different times, depending on the stage (Loader > Injector > Payload).

This makes it clear that the malware is set to persist on the system, one way or another. At this stage, to avoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier. This practice is not as common and adds a level of sophistication not present in many samples.

HawkEye persistence in the registry

Not only does it create persistence in the registry, but we also find samples that establish persistence in scheduled tasks using commands like the following:

schtasks.exe /Create /TN "" /XML ""

After observing its behavior in the early stages, we delve deeper into the full execution thread during the analysis phase with debugging. I have followed several samples, and they are mostly similar: .NET samples, usually obfuscated with tools like Confuser, Eaz, Reactor, or similar, which are relatively easy to deobfuscate.

HawkEye code obfuscated

In most samples, I noticed heavy interaction with resources, which becomes important shortly, since I observed a significant amount of data in these resources across most of the samples I found.

Resources data content (Image 1)
Resources data content (Image 2)

In the malware’s initial stages, it looks for the running process (which would be the previously prepared copy), where it can check the PID to access the resources. Within these resources, we see two distinct kinds of content: the initial part, which acts as a key, and the data chunk, which is what will be deobfuscated. To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.

Graph of binary load from resources

It can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource as we do from obfuscated code in memory, like the example shown below.

Graph of PE extraction from memory

The result of this stage is two extracted files: one is the injector, and the other is the Keylogger.

Extracted Injector
Extracted Keylogger

I compared both files, and they are completely different, in size and in structure; the only thing they have in common is that both are .NET binaries.

Binary comparison

To highlight the difference between the injector dropped on disk (Right) and the one extracted from memory (Left), we can examine the extended content. We observe that the memory-extracted injector contains imports related to injection that the disk version does not (such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, etc.).

Extracted and dropped injector comparison (Image 1)
Extracted and dropped injector comparison (Image 2)

Here we can observe several functionalities while extracting the binaries, such as self-deletion. This is done to maintain evasion and avoid revealing its location, since it drops replicas of the original binary in several locations, as we observed earlier.

Self-deletion and self-copy of the original binary (Image 1)
Self-deletion and self-copy of the original binary (Image 2)
Self-deletion and self-copy of the original binary (Image 3)
Self-deletion and self-copy of the original binary (Image 4)

One of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more functionality than the one seen on disk. This is because the injection tasks are performed at runtime, whereas the written file is only a portion of this, triggering the main binary located in the temporary path.

It checks persistence and restarts the whole process, including injection. Therefore, it is a part of the file that does not reveal all of its functionalities. I will show you how it performs injection using Process Hollowing.

Graph of the process injection

In essence, the injector does not have much more functionality. It contains a part where it checks running processes, which is an interesting method to detect analysis tools or to determine whether the process is already running. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.

Process collection routine (Image 1)
Process collection routine (Image 2)
Process collection routine (Image 3)

Finally, we only have the second extraction left to examine, which is HawkEye itself. I have encountered many variations of it, since the modules included vary significantly based on what the creator configures in the builder of the Keylogger itself.


We will talk more about this later, but you can already see all the functionalities that can be added during its creation, which affect the modules included in it.

Comparison between crack and extracted keylogger options (Image 1)
Comparison between crack and extracted keylogger options (Image 2)

At this stage, I carried out tests with several builders to verify this theory, as I had extracted several samples to the final stage and almost none of them resembled each other very much. I tested by removing or adding options, and even with the same sample there were significant differences, so you can imagine how different it could be if it is not exactly the same version of the keylogger and different components were chosen during its creation.

Comparison between crack and extracted keylogger

At this stage, we just want to look at the payload’s functionalities. At first glance, we can see strings that reveal its nature; this sample did not expect anyone to reach this stage, as it has three well-defined stages that hide its tracks, but here we can see many indicators of what it is.

Overview of the extracted HawkEye (Image 1)
Overview of the extracted HawkEye (Image 2)

During the execution of this particular module, we can observe it invoking vbc.exe, as it injects the payload into this process, using the same techniques we have seen previously.

Execution of HawkEye’s final stage (Image 1)
Execution of HawkEye’s final stage (Image 2)
Execution of HawkEye’s final stage (Image 3)

Regarding the modules it brings, I compared three different samples, and they are quite similar in terms of what they can do. The general functionalities that usually match include:

  • Keylogging (monitoring and stealing keyboard and clipboard data)
  • System information gathering (OS, HW, Network)
  • Credential theft (mail, FTP, browsers, video games, etc.)
  • Wallet theft
  • Screenshot capture
  • Security software detection
  • Analysis tools detection (debuggers, traffic capture, etc.)
  • Persistence (usually through registry keys or Tasks)
  • Data exfiltration through various methods (FTP, HTTP, SMTP, etc.)

Graph of payload module diffing

Calling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers I have seen. Once injected into vbc.exe or other processes, it carries out the various actions mentioned above.

Graph of HawkEye functionality

Outro

As we mentioned earlier, different groups have used this keylogger, including independent criminals and even script kiddies. In my research, I found different places where this keylogger was sold; there were as many as 4-5 different websites, as it changed developers and domains over time, which is quite common.

HawkEye webpage

It has also been distributed through cracks, where it was sold or offered on forums to members, avoiding the usual membership fees or markets and offering it for very low payments compared with the standard price, which, as we mentioned earlier, ranged from $20 to $50.

HawkEye sales

It is always important with these kinds of tools to find the original software in several versions to understand how it really works from both the victim’s and the attacker’s perspectives, so we can get a complete view of the malware.

Here, we can see that the builder offers many configuration options, allowing us to choose where to send the stolen information (email, FTP, etc.), what we want to collect (browser data, FTP credentials, mail, etc.), whether or not to check for certain tools, establish persistence, delete data, download from a URL (this could function as a downloader for other malware), and change the payload metadata to make it look like legitimate software (e.g., changing the icon, description, etc.). As you can see, it is extremely complete. After compiling, we have our full Keylogger, Stealer, or Downloader (call it what you like, as it does everything) ready to use.

Graph of HawkEye builder

I do not want to repeat myself too much, but when comparing the versions we have seen and extracted with those we created ourselves, they function exactly the same: identical injections, persistence, data theft (or whatever was chosen in the builder). Therefore, in telemetry, we will not find any surprises, as you can see below.

Graph of HawkEye built execution

After analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has displayed over the many years. It is truly a tremendously powerful and easy-to-use tool that, unfortunately, we will continue to see in security incidents from actors of all kinds.

Finally, I want to thank you for reading this analysis and for supporting me.


Detection Opportunities

[TA0005][T1036] Duplication of the original file in temporary paths

  • (WriteFile) C:\Users\*\AppData\Local\Temp\*.exe
  • (WriteFile) C:\Users\*\AppData\Roaming\*.exe
  • (WriteFile) C:\Users\*\AppData\Roaming\Microsoft\Windows\Templates\*.exe
  • (WriteFile) C:\Users\*\AppData\Local\Temp\System\*.exe
  • (WriteFile) C:\Users\*\Music\*.exe

[TA0003][T1053] Scheduled Task persistence

  • schtasks.exe /Create /TN "" /XML ""

[TA0003][T1547.001] Registry Run Keys persistence

  • (Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (ValueData)

[TA0005][T1055.012] Process injection into vbc or itself

  • From file in temporary folder > injection > vbc.exe
  • From file in temporary folder > injection > Other unidentified file in the same temporary path

[TA0009][T1074.001] Save stolen data to txt files

  • vbc.exe /stext "*\AppData\Local\Temp\holdermail.txt"

[TA0009][T1113] Saving screenshots of the victim’s screen

  • (WriteFile / Regex NameFile) screenshot\d{1}.jpeg

[TA0006][T1555] Queries to browser paths or third-party software to obtain user account information

  • (Registry/Path query) Web Data | Login Data | Accounts | Profiles | Cookies\index.dat | profiles.ini | *.oeaccount
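As an added example (not from the original post), the detection opportunities above expressed as regex rules and run over constructed Sysmon-style event lines. The field names (Image, CommandLine, TargetFilename, TargetObject) follow Sysmon naming, but every event, path and task name in the sample is invented for this demonstration.

```python
# Added example, not from the original post: turns the detection
# opportunities above into regex rules and runs them over constructed
# telemetry lines. The key=value fields loosely follow Sysmon naming
# (Image, CommandLine, TargetFilename, TargetObject); the events are invented.
import re

USER = r"C:\\Users\\[^\\]+\\"  # any profile directory

# (ATT&CK technique, what a hit means, regex applied to one event line)
RULES = [
    ("T1036", "self-copy written to one of the abused drop paths",
     re.compile(r"TargetFilename=" + USER +
                r"(AppData\\Local\\Temp(\\System)?|AppData\\Roaming"
                r"(\\Microsoft\\Windows\\Templates)?|Music)\\[^\\]+\.exe$", re.I)),
    ("T1053", "scheduled task created from an XML definition",
     re.compile(r"\\schtasks\.exe\b.*CommandLine=.*\s/Create\b.*\s/XML\b", re.I)),
    ("T1547.001", "Run key value written",
     re.compile(r"TargetObject=HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows"
                r"\\CurrentVersion\\Run\\", re.I)),
    ("T1074.001", "vbc.exe staging stolen credentials in holdermail.txt",
     re.compile(r"\\vbc\.exe\b.*CommandLine=.*\s/stext\b.*\\AppData\\Local\\Temp"
                r"\\holdermail\.txt", re.I)),
    ("T1113", "screenshot dropped by the payload",
     re.compile(r"TargetFilename=.*\\screenshot\d\.jpeg$", re.I)),
]

# Constructed sample events: five HawkEye-like lines, then two benign ones.
SAMPLE_EVENTS = [
    r"EventType=FileCreate Image=C:\Users\victim\Downloads\invoice.exe "
    r"TargetFilename=C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe",
    r"EventType=ProcessCreate Image=C:\Windows\System32\schtasks.exe "
    r"CommandLine=schtasks.exe /Create /TN Updater /XML C:\Users\victim\AppData\Local\Temp\task.xml",
    r"EventType=RegistryValueSet Image=C:\Users\victim\AppData\Local\Temp\svchost.exe "
    r"TargetObject=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"EventType=ProcessCreate Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
    r"CommandLine=vbc.exe /stext C:\Users\victim\AppData\Local\Temp\holdermail.txt",
    r"EventType=FileCreate Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
    r"TargetFilename=C:\Users\victim\AppData\Local\Temp\screenshot3.jpeg",
    r"EventType=FileCreate Image=C:\Program Files\Microsoft Office\WINWORD.EXE "
    r"TargetFilename=C:\Users\victim\AppData\Local\Temp\~WRD0001.tmp",
    r"EventType=ProcessCreate Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
    r"CommandLine=vbc.exe /out:app.exe app.vb",
]

def scan_event(line):
    """Technique IDs of every rule this one event line satisfies."""
    return [tag for tag, _, rx in RULES if rx.search(line)]

def scan_events(lines):
    """Group matching lines by technique: {technique: [lines]}."""
    hits = {}
    for line in lines:
        for tag in scan_event(line):
            hits.setdefault(tag, []).append(line)
    return hits

def stages_observed(hits):
    """Number of distinct techniques seen. A lone .exe written to %TEMP% is
    weak evidence on its own; staging, persistence and exfil preparation seen
    together on one host is the combination worth alerting on."""
    return len(hits)
```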

TTPs

[TA0001][T1566.001] SpearPhishing

[TA0002][T1204] User Execution

[TA0003][T1053] Scheduled Task/Job

[TA0003][T1547.001] Registry Run Keys / Startup Folder

[TA0005][T1112] Modify Registry

[TA0005][T1564.001] Hidden Files and Directories

[TA0005][T1055] Process Injection

[TA0005][T1562] Impair Defenses

[TA0005][T1027] Obfuscated Files or Information

[TA0005][T1140] Deobfuscate/Decode Files or Information

[TA0005][T1036] Masquerading

[TA0005][T1497] Virtualization/Sandbox Evasion

[TA0006][T1552] Unsecured Credentials

[TA0006][T1555] Credentials from Password Stores

[TA0007][T1087] Account Discovery

[TA0007][T1518.001] Security Software Discovery

[TA0007][T1033] System Owner/User Discovery

[TA0007][T1012] Query Registry

[TA0007][T1016] System Network Configuration Discovery

[TA0007][T1518] Software Discovery

[TA0007][T1082] System Information Discovery

[TA0009][T1074.001] Local Data Staging

[TA0009][T1005] Data from Local System

[TA0009][T1560] Archive Collected Data

[TA0009][T1114] Email Collection

[TA0009][T1115] Clipboard Data

[TA0009][T1113] Screen Capture

[TA0011][T1105] Ingress Tool Transfer

[TA0011][T1071] Application Layer Protocol

[TA0011][T1571] Non-Standard Port

[TA0042][T1583.008] Malvertising

IOCs


Aaron Jornet Sales (RexorVc0)

I am a threat researcher who spends his working time analysing the TTPs and malware of criminal groups and APTs, and in my spare time I usually focus on the same kind of stuff.

Aaron’s site
